Author: eevans
Date: Tue Sep 28 23:00:45 2010
New Revision: 1002400
URL: http://svn.apache.org/viewvc?rev=1002400&view=rev
Log:
Check for permissions to modify the keyspace list.
Patch by Stu Hood; reviewed by eevans for CASSANDRA-1271
Modified:
cassandra/trunk/src/java/org/apache/cassandra/hadoop/ColumnFamilyRecordReader.java
cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java
cassandra/trunk/src/java/org/apache/cassandra/thrift/CassandraServer.java
Modified:
cassandra/trunk/src/java/org/apache/cassandra/hadoop/ColumnFamilyRecordReader.java
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/hadoop/ColumnFamilyRecordReader.java?rev=1002400&r1=1002399&r2=1002400&view=diff
==============================================================================
---
cassandra/trunk/src/java/org/apache/cassandra/hadoop/ColumnFamilyRecordReader.java
(original)
+++
cassandra/trunk/src/java/org/apache/cassandra/hadoop/ColumnFamilyRecordReader.java
Tue Sep 28 23:00:45 2010
@@ -28,7 +28,6 @@ import java.util.*;
import com.google.common.collect.AbstractIterator;
-import org.apache.cassandra.auth.AllowAllAuthenticator;
import org.apache.cassandra.auth.SimpleAuthenticator;
import org.apache.cassandra.config.ConfigurationException;
Modified: cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java?rev=1002400&r1=1002399&r2=1002400&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java Tue
Sep 28 23:00:45 2010
@@ -120,6 +120,19 @@ public class ClientState
}
/**
+ * Confirms that the client thread has the given Permission for the
Keyspace list.
+ */
+ public void hasKeyspaceListAccess(Permission perm) throws
InvalidRequestException
+ {
+ if (user == null)
+ throw new InvalidRequestException("You have not logged in");
+ List<Object> resource = Arrays.<Object>asList(Resources.ROOT,
Resources.KEYSPACES);
+ Set<Permission> perms =
DatabaseDescriptor.getAuthority().authorize(user, resource);
+
+ hasAccess(user, perms, perm, resource);
+ }
+
+ /**
* Confirms that the client thread has the given Permission in the context
of the current Keyspace.
*/
public void hasKeyspaceAccess(Permission perm) throws
InvalidRequestException
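Review bot: In `hasKeyspaceListAccess`, the set returned by `DatabaseDescriptor.getAuthority().authorize(user, resource)` is passed straight to `hasAccess` without a null check. If an authority implementation returns null for an unknown user or resource, the denial surfaces as a NullPointerException rather than the intended InvalidRequestException. The request is still refused, but the client sees an opaque failure and operators cannot easily tell a denial from a server fault. A guard such as `if (perms == null) perms = Collections.<Permission>emptySet();` before the `hasAccess` call keeps the denial explicit. Whether the authority interface already forbids a null return is not visible in this diff.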
@@ -128,7 +141,17 @@ public class ClientState
throw new InvalidRequestException("You have not logged in");
if (keyspaceAccess == null)
throw new InvalidRequestException("You have not set a keyspace for
this session");
- if (!keyspaceAccess.contains(perm))
- throw new InvalidRequestException(String.format("You (%s) do not
have permission %s for %s", user, perm, keyspace));
+
+ hasAccess(user, keyspaceAccess, perm, resource);
+ }
+
+ private static void hasAccess(AuthenticatedUser user, Set<Permission>
perms, Permission perm, List<Object> resource) throws InvalidRequestException
+ {
+ if (perms.contains(perm))
+ return;
+ throw new InvalidRequestException(String.format("%s does not have
permission %s for %s",
+ user,
+ perm,
+
Resources.toString(resource)));
}
}
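Review bot: `hasAccess` decides purely on `perms.contains(perm)`, and the `resource` argument only feeds the denial message, so nothing ties the permission set to the resource named in the error. In `hasKeyspaceAccess` the set is the cached `keyspaceAccess`, while `resource` is not declared in the visible lines (presumably a field), so the two could drift apart without the check noticing. I would add a Javadoc on `hasAccess` recording that contract, e.g. `/** Throws unless perms contains perm; resource is used only for the error message and must be the one perms was authorized against. */`. The start of `hasKeyspaceAccess` lies in the previous hunk.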
Modified:
cassandra/trunk/src/java/org/apache/cassandra/thrift/CassandraServer.java
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/thrift/CassandraServer.java?rev=1002400&r1=1002399&r2=1002400&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/thrift/CassandraServer.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/thrift/CassandraServer.java
Tue Sep 28 23:00:45 2010
@@ -35,7 +35,6 @@ import org.apache.cassandra.utils.FBUtil
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.apache.cassandra.auth.AllowAllAuthenticator;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.concurrent.StageManager;
import org.apache.cassandra.config.ConfigurationException;
@@ -755,18 +754,13 @@ public class CassandraServer implements
public String system_add_keyspace(KsDef ks_def) throws
InvalidRequestException, TException
{
- // IAuthenticator was devised prior to, and without thought for,
dynamic keyspace creation. As
- // a result, we must choose between letting anyone/everyone create
keyspaces (which they likely
- // won't even be able to use), or be honest and disallow it entirely
if configured for auth.
- // See CASSANDRA-1271 for a proposed solution.
- if (!(DatabaseDescriptor.getAuthenticator() instanceof
AllowAllAuthenticator))
- throw new InvalidRequestException("Unable to create new keyspace
while authentication is enabled.");
-
+ state().hasKeyspaceListAccess(Permission.WRITE);
+
int totalNodes = Gossiper.instance.getLiveMembers().size() +
Gossiper.instance.getUnreachableMembers().size();
if (totalNodes < ks_def.replication_factor)
throw new InvalidRequestException(String.format("%s live nodes are
not enough to support replication factor %s",
totalNodes,
ks_def.replication_factor));
-
+
//generate a meaningful error if the user setup keyspace and/or column
definition incorrectly
for (CfDef cf : ks_def.cf_defs)
{
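Review bot: `state().hasKeyspaceListAccess(Permission.WRITE)` authorizes against the keyspace list as a whole, and in `system_drop_keyspace` (next hunk) the same call never consults the `keyspace` argument. WRITE on the list therefore appears to permit dropping any keyspace, regardless of the caller's permissions on that keyspace. For `system_add_keyspace`, the removed comment noted that creators would likely be unable to use the keyspace they create, and nothing in the visible lines grants the creator any permission on it. If list-level WRITE is the intended gate for both operations, a comment at each call site would record that, e.g. `// Requires WRITE on the keyspace list; per-keyspace permissions are not consulted here.` Both method bodies continue outside their hunks.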
@@ -815,11 +809,7 @@ public class CassandraServer implements
public String system_drop_keyspace(String keyspace) throws
InvalidRequestException, TException
{
- // IAuthenticator was devised prior to, and without thought for,
dynamic keyspace creation. As
- // a result, we must choose between letting anyone/everyone create
keyspaces (which they likely
- // won't even be able to use), or be honest and disallow it entirely
if configured for auth.
- if (!(DatabaseDescriptor.getAuthenticator() instanceof
AllowAllAuthenticator))
- throw new InvalidRequestException("Unable to create new keyspace
while authentication is enabled.");
+ state().hasKeyspaceListAccess(Permission.WRITE);
try
{